Security flaw could allow hackers to create hotel master keys

Most hotel chains these days rely on some sort of electronic key card mechanism rather than more traditional locks.

Researchers at F-Secure have found that hotels worldwide are using an electronic lock system with a flaw that could be exploited by an attacker to gain access to any room in the building.

The attack involves using any ordinary electronic key to the target facility -- even one that's long expired, discarded, or used to access spaces such as a garage or closet. Using information on the key, the researchers are able to create a master key with privileges to open any room in the building. What's more the attack can be performed without being noticed, leaving no sign of entry.

"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," says Tomi Tuominen, practice leader at F-Secure Cyber Security Services. "We don't know of anyone else performing this particular attack in the wild right now."

F-Secure notified Assa Abloy -- the lock manufacturer -- of the findings and has collaborated with the firm over the past year to implement software fixes. Updates have been made available to affected properties.

"I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues," says Tuominen. "Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible."